YOA Insurance Brokers Limited (“YOA”) is committed to ensuring its compliance with the requirements of all relevant data laws globally and in Nigeria. In this regard, YOA is committed to complying with the NIGERIA DATA PROTECTION REGULATION 2019 (“the Regulation”), its accompanying IMPLEMENTATION FRAMEWORK of NOVEMBER, 2020 and International best practices relating to Data Protection (collectively called “the Data Protection Rules”).
YOA is required to comply with the Data Protection Rules in respect of its processing of personal data such as customers’ records, employees’ records, business contacts, consultants’ details, prospects information, contractors’ details, suppliers’ details, and other parties that YOA interacts with. YOA acknowledges the need for these data to improve business processes and also understands the importance of respecting the privacy rights of all stakeholders interacting with the brand. This is why this policy has been developed to describe how personal data is collected, handled, and stored to meet global standards of data protection.
In this Policy, unless the context otherwise requires, the words in quotes have the meaning set against them:
i. “Computer” means Information Technology systems and devices, whether networked or not.
ii. “Consent” of the Data Subject means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
iii. “Data” means characters, symbols, and binary on which operations are performed by a computer or manually, which may be stored or transmitted in the form of electronic signals, stored in any format or any device.
iv. “Database” means a collection of data organized in a manner that allows access, retrieval, deletion, and processing of that data; it includes but is not limited to structured, unstructured, cached, and file system type databases.
v. “Database Management System” means software that allows a computer to create a database; add, change, or delete data in the database; allows data in the database to be processed, sorted, or retrieved.
vi. “Data Subject” means any person, who can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
vii. “Foreign Country” means other sovereign states, autonomous or semi-autonomous territories within the international community.
viii. “Regulation” means Nigeria Data Protection Regulation 2019 and its subsequent amendments, and where circumstance requires it shall also mean any other Regulations on the processing of information relating to identifiable individuals, including the obtaining, holding, use, or disclosure of such information to protect such information from inappropriate access, use, or disclosure.
ix. “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; or an organization. It can be anything from a name, address, phone number(s), a photo, an email address, bank details, posts on social networking, post on website forms, cookies, cache data, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others;
x. “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storing, adaptation or alteration, manipulation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
xi. “Relevant Authorities” means any Body or establishment that has the government’s mandate to deal solely or partly with matters regarding this Policy, for instance, the National Information Technology Development Agency (“NITDA”).
3. TYPES OF INFORMATION PROCESSED BY YOA
The format or nature of the data YOA processes is subject to the relationship held with the data subject. YOA handles data subjects’ data as part of its role as an insurance broker in ensuring the best risk solutions. YOA may process the following:
• Information about the data subject – name, age, date of birth, nationality, gender, marital status.
• Means of Identification – name, date of birth, National Identity card Number (NIN), International Passport, Driver’s license, Voter’s card, etc.
• Contact information – email addresses, phone numbers, physical addresses, company address, website address, social media pages. All of these are collected both online and offline.
• Financial information – information related to payments made or received by the data subject.
• Contractual information – policy details, Service Level Agreements (SLA), Non-Disclosure Agreements (NDA)
• Health information – medical history and health background
• Operational information – information relating to business operations to guide in ascertaining risk profiles
4. DATA PROTECTION PRINCIPLES
YOA complies with the following principles concerning processing personal data:
1. Data is to be collected and processed under specific, legitimate, and lawful purpose(s) consented to by the Data Subject; provided that:
a. further processing may be done only for archiving, industry-based research, historical research, or statistical purposes for the public interest.
b. any person carrying out data processing shall not transfer any Personal Data to any person unless it is required to be transferred to that person or a lawful request is made by another employee for it.
c. further processing may be done for product & service improvements, retargeting, and consented marketing.
2. Personal Data collected shall be adequate, accurate, and without prejudice to the human dignity of the Data Subject
3. Personal Data collected shall be stored only for the period within which it is reasonably needed.
4. Personal Data collected shall be secured, preferably in a Database Management System and a Customer Relationship Management Tool, and protected against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, and damage by rain, fire, or exposure to other natural elements.
5. PURPOSE OF COLLECTION OF PERSONAL DATA
YOA will obtain data from the data subject only after consent has been given. Data collected will not be used in any manner different from that stated when consent was sought. YOA may use the data subject’s data for:
• Insurance placement on behalf of the data subject(s)
• Claims management on behalf of the data subject(s)
• Assessment of service rendered and insurance products sold
• Improvement of services and products rendered
• Fulfillment of legal or regulatory obligations
• For processes such as investigation of fraudulent claims and money laundering.
• For public interest in statistical, scientific, or historical research purposes.
• For efficient and effective product/service targeting
• Make follow-up calls and contacts.
6. METHODS OF COLLECTING PERSONAL DATA
• Know Your Customer (KYC)
• Forms – claims, feedback, recommendation, inquiry, website
• Forums and events that allow for data collection (customer service week, webinars, conferences, etc.)
• Conversations via telephone – Voice and SMS
• Social Media platforms – LinkedIn, Twitter, Instagram, WhatsApp messages, Telegram, etc.
• Employees physically engage customers
• Employers of data subjects who provide information for policies like group life and group health
• Family members
• Medical practitioner
• Legal representatives
• Credit reference agencies
• Loss adjusters.
8. SOCIAL MEDIA PLATFORMS
• The data subject(s) can be part of YOA’s execution via blogs and its social media platforms. YOA uses its social media platforms to enlighten its audience about insurance, the need to establish risk management techniques, and the promotion of financial inclusion.
• YOA will not be held accountable for any personal data shared publicly on YOA social media platforms.
• For data retrieved via campaigns such as email addresses, company names, and phone numbers provided by Data subjects, YOA will ask for consent from the data subject before any further processing.
9. THIRD-PARTY DATA PROCESSING CONTRACT
Data processing by a third party shall be governed by a written contract between the third party and YOA. The written contract with a third party to process the data obtained from Data Subjects shall include terms to ensure adherence to the Regulation.
10. LAWFUL PROCESSING OF DATA
Without ignoring the general principles set out above, processing of Data by YOA shall be lawful and permitted if at least one of the following applies:
1. The Data Subject has given consent to the processing of his or her Data for one or more specific purposes (for example, subscribing to a Policy, filling out a Claims Form, contacting for business opportunity, etc.).
2. Processing of the Data is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject before entering into a contract (for example, processing of Claims).
3. Processing is necessary for compliance with a legal obligation to which YOA is subject (for example, NAICOM Returns, NFIU Returns, etc.).
4. Processing is necessary to protect the vital interests of the Data Subject or another natural person (for example, for Record-Keeping or Administrative Purposes).
5. Processing is necessary for the performance of a task carried out in the public interest (for example, for Corporate Social Responsibility Purposes, research purposes).
11. RIGHTS OF DATA SUBJECT
1. YOA shall take appropriate measures to provide any information relating to the data processing to the Data Subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and for any information. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.
2. When requested by the Data Subject, the information may be provided orally. There must however be a record of this request by the Data Subject.
3. Where YOA receives requests from a Data Subject relating to his or her Data, YOA shall at the end of every month put together a report on the requests and upload it on its Online Shared Folder.
4. The data subject can object to the use of his/her data for marketing. The data subject’s data will be used for this purpose only after consent has been given by the data subject.
5. Except as otherwise provided by any public policy or Regulation, the information provided to the Data Subject and any communication, and any actions taken shall be provided free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular, because of their repetitive character, YOA may decide whether to either:
a. charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested; or,
b. write a letter to the Data Subject stating refusal to act on the request and the grounds of such refusal. A copy of this letter shall be sent to NITDA on every such occasion through a dedicated channel which shall be provided for such purpose. (Not relevant)
6. Where YOA has reasonable doubts concerning the identity of the natural person requesting information, YOA may request the provision of additional information necessary to confirm the identity of the Data Subject.
7. The information to be provided to Data Subject may be provided in combination with standardized icons to give in an easily visible, intelligible, and legible manner a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.
8. Where Personal Data is transferred to a foreign country or an international organization, the Data Subject shall have the right to be informed of the appropriate safeguards for data protection in the foreign country.
9. The Data Subject shall have the right to obtain from YOA without undue delay the rectification of inaccurate Personal Data concerning him or her. Considering the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including through providing a supplementary statement.
10. The Data Subject shall have the right to request YOA to delete his or her Data without delay, and YOA shall delete the Personal Data where one of the following grounds applies:
a. Personal Data is no longer necessary concerning the purposes for which they were collected or processed.
b. the Data Subject withdraws consent on which the processing is based.
c. the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing.
d. the Personal Data has been unlawfully obtained and/or processed, and
e. the Personal Data must be erased for compliance with a legal obligation in Nigeria.
11. Where YOA has made the Personal Data public and is obliged to delete the Personal Data, it shall take all reasonable steps to inform Controllers processing the Personal Data of the Data Subject’s request.
12. The Data Subject shall have the right to obtain from YOA restriction of processing where one of the following applies:
a. The accuracy of the Personal Data is contested by the Data Subject for a period enabling YOA to verify the accuracy of the Personal Data.
b. The processing is unlawful, and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.
c. YOA no longer needs the Personal Data for processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims.
d. The Data Subject has objected to processing, pending the verification of whether the legitimate grounds of YOA override those of the Data Subject.
13. Where processing has been restricted, such Personal Data shall, except for storage, only be processed with the Data Subject’s consent or for the establishment, exercise, or defense of legal claims or the protection of the rights of another natural or legal person or for reasons of important public interest in Nigeria.
14. YOA shall communicate any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. YOA shall inform the Data Subject about those recipients if the Data Subject requests it.
15. The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to YOA, in a structured, commonly used, and machine-readable format. The Data Subject shall also have the right, where technically feasible, to transmit those data to another person or entity without hindrance from YOA where the processing is based on consent, or on a contract, and the processing is carried out by automated means.
16. The exercise of the foregoing rights shall conform with constitutionally guaranteed principles of law for the general protection and enforcement of fundamental rights.
12. TIME FRAME FOR KEEPING PERSONAL DATA
Unless the data subject requests the removal or deletion of data from any YOA DMS, personal data will be held for a reasonable amount of time and then archived.
In some instances, YOA will de-identify the data for research, statistical and analytic purposes to enhance the business. This will be done in conformity with the data protection laws.
• The data subject reserves the right to the use of his/her data and YOA will obtain consent before the use of personal data for marketing purposes
• YOA will ensure that marketing messages are relevant and properly targeted, but where the data subject opts to unsubscribe to these messages, this will be achieved by the unsubscribe guideline that will appear in every message (emails, newsletters, etc.)
• Individual information will not be used to run any of the digital campaigns that YOA will periodically run, and the data subject will see. If the data subject doesn’t want to see these campaigns anymore, he/she can adjust browser settings for cookies and adjust preference settings in the social media platform.
• YOA may retain data provided by the data subject via any YOA channel, even before a contract exists between YOA and the data subject, if such information is necessary for follow-up purposes. The data subject also has the right to request that YOA stop following up on him/her.
14. POLICY IMPLEMENTATION GUIDELINES
• YOA shall ensure continuous capacity building such as training for the employee for Data Protection and the generality of its personnel involved in any form of data processing.
• YOA shall conduct a detailed audit of its privacy and data protection policy & practices at regular intervals not exceeding once a year
16. CONTACT DETAILS AND RESPONSIBILITY
Or via telephone on 01-2711345 or via email at email@example.com